sabnzbd / sabnzbd

SABnzbd - The automated Usenet download tool
http://sabnzbd.org

3.3.0 Beta3: cannot access remote SAB anymore: "Access denied" #1872

Closed sanderjo closed 3 years ago

sanderjo commented 3 years ago

3.3.0 Beta3: cannot access remote SAB (on a VPS with public IP, so not behind NAT) anymore

... probably because of the new network / remote access settings.

I'll have to solve this remotely; it's a VPS

$ cat .sabnzbd/logs/sabnzbd.log | tail -20 | sed -e 's/x.y/1.2/g' 
2021-04-29 18:25:03,043::DEBUG::[__init__:351] Starting decoders
2021-04-29 18:25:03,045::DEBUG::[__init__:354] Starting scheduler
2021-04-29 18:25:03,045::DEBUG::[__init__:357] Starting dirscanner
2021-04-29 18:25:03,046::INFO::[dirscanner:117] Dirscanner starting up
2021-04-29 18:25:03,046::DEBUG::[__init__:360] Starting rating
2021-04-29 18:25:03,046::DEBUG::[__init__:363] Starting urlgrabber
2021-04-29 18:25:03,046::INFO::[notifier:122] Sending notification: SABnzbd - SABnzbd 3.3.0Beta3 started (type=startup, job_cat=None)
2021-04-29 18:25:03,047::DEBUG::[misc:393] Version check disabled by Debian/Ubuntu packaging
2021-04-29 18:25:03,047::DEBUG::[sabnzbdplus:1516] Using 3.4.54.18 as host address for Bonjour and SSDP
2021-04-29 18:25:03,140::INFO::[postproc:237] Completed Download Folder /home/sander/Downloads/complete is not on FAT
2021-04-29 18:25:03,152::DEBUG::[__init__:1106] Test IPv6: IPv6 test successful. Enabling IPv6
2021-04-29 18:25:03,152::DEBUG::[downloader:463] External IPv6 test result: True
2021-04-29 18:25:03,185::DEBUG::[downloader:467] SSL verification test: True
2021-04-29 18:34:29,069::DEBUG::[interface:140] Request GET / from 1.2.80.137 [Mozilla/5.0 (X11; CrOS x86_64 13729.84.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.130 Safari/537.36] {}
2021-04-29 18:34:29,070::INFO::[notifier:122] Sending notification: Warning - Refused connection from: 1.2.80.137 [Mozilla/5.0 (X11; CrOS x86_64 13729.84.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.130 Safari/537.36] (type=warning, job_cat=None)
2021-04-29 18:34:29,070::WARNING::[interface:376] Refused connection from: 1.2.80.137 [Mozilla/5.0 (X11; CrOS x86_64 13729.84.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.130 Safari/537.36]
2021-04-29 18:35:23,866::DEBUG::[interface:140] Request GET / from 1.2.80.137 [Mozilla/5.0 (X11; CrOS x86_64 13729.84.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.130 Safari/537.36] {}
2021-04-29 18:35:23,866::WARNING::[interface:376] Refused connection from: 1.2.80.137 [Mozilla/5.0 (X11; CrOS x86_64 13729.84.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.130 Safari/537.36]
2021-04-29 18:36:08,355::DEBUG::[interface:140] Request GET / from 1.2.80.137 [Mozilla/5.0 (X11; CrOS x86_64 13729.84.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.130 Safari/537.36] {}
2021-04-29 18:36:08,356::WARNING::[interface:376] Refused connection from: 1.2.80.137 [Mozilla/5.0 (X11; CrOS x86_64 13729.84.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.130 Safari/537.36]

sanderjo commented 3 years ago

Oh, this is annoying: start a fresh SAB instance:

./SABnzbd.py -f blabla98adsf98f98a.ini -s 0.0.0.0:7766 -b0

... but accessing it results in "Access denied" too. So I can't access a default SAB setup (on a public IP) remotely anymore?

2021-04-29 18:48:06,011::INFO::[notifier:122] Sending notification: SABnzbd - SABnzbd 3.3.0-develop started (type=startup, job_cat=None)
2021-04-29 18:48:13,380::INFO::[notifier:122] Sending notification: Warning - Refused connection from: 1.2.80.137 [Mozilla/5.0 (X11; CrOS x86_64 13729.84.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.130 Safari/537.36] (type=warning, job_cat=None)
2021-04-29 18:48:13,380::WARNING::[interface:376] Refused connection from: 1.2.80.137 [Mozilla/5.0 (X11; CrOS x86_64 13729.84.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.130 Safari/537.36]

jcfp commented 3 years ago

Looks like a side effect of #1859? No remote access by default, local_ranges isn't set so only private ranges are granted access, and the inbound connection isn't from such a range.

It does result in this kind of inconvenience for fresh, entirely remote setups. Editing the ini directly, or using a console browser to set local_ranges could work around this. Maybe there should be a command line option to set, append to, or override the local_ranges setting?
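
An added example (not SABnzbd code and not written by anyone in this thread): it tallies the "Refused connection" warnings in the log format shown above and reports whether each source would count as local under the rule described in this comment. The CIDR notation for local_ranges, the `PRIVATE` list and all function names are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Log format seen above: "timestamp::LEVEL::[module:line] message".
# Match only the WARNING record from the interface module: the notifier's INFO
# line repeats the same "Refused connection from:" text and would double-count.
REFUSED = re.compile(
    r"^\S+ \S+::WARNING::\[interface:\d+\] Refused connection from: (\S+)",
    re.MULTILINE,
)

# Assumption: a stand-in for "private ranges"; this is not SABnzbd's own list.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample: lines from the log above with the User-Agent shortened.
SAMPLE_LOG = """\
2021-04-29 18:34:29,069::DEBUG::[interface:140] Request GET / from 1.2.80.137 [Mozilla/5.0] {}
2021-04-29 18:34:29,070::INFO::[notifier:122] Sending notification: Warning - Refused connection from: 1.2.80.137 [Mozilla/5.0] (type=warning, job_cat=None)
2021-04-29 18:34:29,070::WARNING::[interface:376] Refused connection from: 1.2.80.137 [Mozilla/5.0]
2021-04-29 18:35:23,866::WARNING::[interface:376] Refused connection from: 1.2.80.137 [Mozilla/5.0]
2021-04-29 18:36:08,355::DEBUG::[interface:140] Request GET / from 1.2.80.137 [Mozilla/5.0] {}
2021-04-29 18:36:08,356::WARNING::[interface:376] Refused connection from: 1.2.80.137 [Mozilla/5.0]
"""

def refused_sources(log_text):
    """Count refused connections per source address."""
    return Counter(REFUSED.findall(log_text))

def is_local(addr, local_ranges=()):
    """Model of the rule described above: the listed ranges if any are set,
    otherwise only private ranges. CIDR entries are an assumption."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:a.b.c.d on dual-stack sockets
        ip = ip.ipv4_mapped
    nets = [ipaddress.ip_network(r, strict=False) for r in local_ranges] or PRIVATE
    return any(ip.version == n.version and ip in n for n in nets)

def report(log_text, local_ranges=()):
    """(address, refusals, would_be_local) per refused source, busiest first."""
    return [(ip, n, is_local(ip, local_ranges))
            for ip, n in refused_sources(log_text).most_common()]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

On a publicly reachable instance, a source that shows up here with many refusals and that you do not recognise is worth a closer look before any range is widened.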

sanderjo commented 3 years ago

Solved:

$ cat .sabnzbd/sabnzbd.ini | grep inet_exposure
inet_exposure = 4

and I can access SAB again

sanderjo commented 3 years ago

> Looks like a side effect of #1859? No remote access by default, local_ranges isn't set so only private ranges are granted access, and the inbound connection isn't from such a range.

Yes, indeed.

> It does result in this kind of inconvenience for fresh, entirely remote setups. Editing the ini directly, or using a console browser to set local_ranges could work around this. Maybe there should be a command line option to set, append to, or override the local_ranges setting?

In my case: inet_exposure. And yes, I think defining (any) ini setting from the CLI at startup would be useful:

./SABnzbd.py --inisetvalue "exposure = 4"

For now, setups on a fresh VPS (so: on public IPv4) would be:

  1. start, so that sabnzbd.ini gets created, stop SAB
  2. in sabnzbd.ini set inet_exposure = 4 (or 5, not sure)
  3. start SAB again. Manually fill out settings

sanderjo commented 3 years ago

This is not handy for people running SABnzbd on a public IPv4 like on VPS / seedboxes. It is as-designed and as discussed, but quite unhandy.